[00:00.660 --> 00:07.140]  Welcome, everyone. I'm really excited to be presenting at our virtual DEF CON this year
[00:07.560 --> 00:13.340]  in the Biohacking Village. I'll be talking today about cybersecurity-informed consent.
[00:14.880 --> 00:20.500]  A few disclosures before I begin my talk. I previously worked at the Cleveland Clinic,
[00:20.500 --> 00:26.880]  and I have a little bit of equity there. I received salary support from the NIH,
[00:26.880 --> 00:31.860]  for which I am eternally grateful. And I do a lot of volunteer work for the Global Alliance
[00:31.860 --> 00:37.380]  for Genomics and Health, the National Society of Genetic Counselors. And I'm a founding member
[00:37.380 --> 00:42.700]  of the Digital Medicine Society, and I will shamelessly plug them now. You should join, too.
[00:43.060 --> 00:49.620]  And also, really importantly, the work that I'm presenting, I have not done by myself.
[00:51.400 --> 00:59.040]  Specifically, I had three close collaborators. So last year at DEF CON, Andy Corvos,
[00:59.040 --> 01:04.240]  who's pictured on the left there, introduced me to Jeff and Christian, who are pictured on the right,
[01:04.240 --> 01:12.680]  to merge the minds together, bringing my ethics experience, Andy's engineering experience,
[01:12.680 --> 01:19.100]  and Jeff and Christian's experience as doctors and security researchers, all
[01:19.100 --> 01:25.880]  into one pool to create this idea of cybersecurity informed consent.
[01:28.100 --> 01:33.320]  So today, I'm going to talk a little bit about the cybersecurity of medical devices,
[01:33.320 --> 01:38.140]  which is background for the ethics folks that might be watching this talk. Then I'm going to
[01:38.140 --> 01:42.700]  be talking a little bit about informed consent, which will be perhaps some background that's
[01:42.700 --> 01:46.040]  good for the engineering folks. And then we'll bring it all together
[01:46.760 --> 01:50.440]  in the concept of cybersecurity informed consent.
[01:52.340 --> 01:56.560]  So let's talk about the cybersecurity of medical devices. And for many of you in the
[01:56.560 --> 02:01.820]  biohacking village, this will seem very basic. But for people who are new to this space,
[02:01.820 --> 02:05.180]  hopefully this will help you catch on to what's going on here.
[02:06.180 --> 02:11.100]  So it's important to note that medical devices are extremely common in the United States.
[02:11.100 --> 02:17.140]  More than 2% of Americans have some sort of implantable medical device within them,
[02:17.140 --> 02:23.860]  which is truly amazing. The U.S. is the largest medical device market in the world.
[02:23.860 --> 02:29.980]  And it's a lot, a lot of money that's involved in this. Another interesting point, though,
[02:29.980 --> 02:37.000]  is that most medical device companies are very small. And I think that that's a really important
[02:37.000 --> 02:41.300]  point as we think about the concept of cybersecurity informed consent, that many of
[02:41.300 --> 02:51.620]  these groups are really small shops. Medical devices are regulated. So the FDA is responsible
[02:51.620 --> 02:57.820]  for the regulation of medical devices. They have oversight on oodles and oodles of devices,
[02:57.820 --> 03:06.400]  device manufacturers, and device facilities. And it's important to note that the FDA is not
[03:06.400 --> 03:14.860]  the only agency that's involved in cybersecurity. So the FTC and the Department of Homeland Security,
[03:14.860 --> 03:18.440]  among other agencies, each have a piece of the cybersecurity
[03:19.280 --> 03:30.530]  infrastructure pie when it comes to regulation. Oodles of medical devices are also connected
[03:30.530 --> 03:38.310]  devices. So these figures are from this paper on cybersecurity features of medical devices,
[03:38.310 --> 03:47.350]  which was a tremendous paper that was published in 2019. So in 2016, 18% of new devices had software.
[03:48.710 --> 03:53.750]  And that has increased really dramatically over time. And certainly, as we think about
[03:53.750 --> 04:01.770]  2018, 2019, 2020, the percentage of devices which are connected has not decreased over that time.
[04:02.570 --> 04:09.790]  However, the amount of cybersecurity content that's included in those devices, that's
[04:09.790 --> 04:17.390]  disclosed in those devices, is relatively small. So the graph on the top has a different
[04:17.390 --> 04:22.590]  y-axis scale than the graph on the bottom. So you can see increasing number of devices that
[04:22.590 --> 04:29.500]  have software, and then slowly increasing the number that include cybersecurity content.
[04:35.760 --> 04:40.980]  And connected devices have vulnerability. So anything that's connected to the internet,
[04:40.980 --> 04:48.940]  whether it's your phone, or your watch, or your computer, or your implanted medical device,
[04:48.940 --> 04:55.400]  any connected device has cybersecurity vulnerability. There is no device that does not have
[04:55.400 --> 05:02.300]  cybersecurity vulnerability that is connected to the internet. This was first highlighted in
[05:03.640 --> 05:12.320]  2008, and actually influenced Dick Cheney's choice of Pacemaker, because he was worried
[05:12.320 --> 05:17.460]  about cybersecurity vulnerability. On the right-hand side of the screen, you can see
[05:17.460 --> 05:25.840]  some examples of cybersecurity concerns within the implantable medical device domain. So IMD
[05:25.840 --> 05:31.300]  is implantable medical device. So you can see there are challenges with it. Authentication,
[05:31.300 --> 05:38.220]  integrity, confidentiality, authorization, all of these domains each has very specific
[05:38.740 --> 05:46.100]  concerns when applied to implantable medical devices. So there are lots of devices out there
[05:46.100 --> 05:52.340]  on the market. More and more of them are connected. Any connected device has a vulnerability.
[05:54.620 --> 06:03.860]  Now let's talk about informed consent. So it's really important to remember that informed consent
[06:03.860 --> 06:12.800]  is a process, not a thing. So you can't just say, I've signed a paper, or I've said yes or no to a
[06:12.800 --> 06:19.960]  question. Informed consent is really a process, a process of conversation between two parties.
[06:19.960 --> 06:26.720]  Planned Parenthood has this fabulous way of remembering the elements of informed consent,
[06:26.720 --> 06:33.100]  FRISE. So consent needs to be freely given. It needs to be reversible. It needs to be informed,
[06:33.100 --> 06:38.880]  meaning you know what you're getting yourself into. In the case of consent in the context of
[06:38.880 --> 06:44.220]  Planned Parenthood, they require enthusiastic. Within the medical context, sometimes the
[06:44.220 --> 06:50.160]  enthusiasm is a little bit muted. That's fine. And it also needs to be specific. So when you're
[06:50.160 --> 06:56.740]  consenting to something, you really need to be informed what it is you're deciding on, and you
[06:56.740 --> 07:02.900]  need to know the specifics of what you're deciding on. And this seems like pretty obvious, but it
[07:02.900 --> 07:08.720]  sometimes gets lost in translation when you get into a medical context, and certainly when you
[07:08.720 --> 07:16.980]  start to think about connected medical devices. So informed consent in medical care and research
[07:16.980 --> 07:23.460]  has those same properties, specific, informed, voluntary, and reversible. It's been described by
[07:23.800 --> 07:29.980]  a lot of very famous statements in the ethics community. For example, the Nuremberg Code,
[07:29.980 --> 07:36.860]  and the Declaration of Helsinki, and the Belmont Report, all of which were seminal pieces
[07:37.680 --> 07:44.640]  of ethics literature that pointed out the requirements for informed consent within
[07:44.640 --> 07:52.260]  medical care and within research. Informed consent is also mandated by law. So within the United
[07:52.260 --> 07:59.300]  States, here are some of the specific codes and specific agencies that require informed consent
[07:59.300 --> 08:05.000]  within the medical care and medical research setting. The quote on the right is actually from
[08:05.000 --> 08:14.180]  one of the first decisions in the United States around informed consent. In this case, in New York
[08:14.180 --> 08:22.460]  State, there was a case of medical negligence because a surgeon had not properly informed
[08:22.940 --> 08:32.820]  the person that they were operating on about the potential outcomes of what might happen to them
[08:32.820 --> 08:38.880]  when they received treatment. So we have a long precedent, more than 100 years of precedent in the
[08:38.880 --> 08:48.020]  United States legally for informed consent in the medical setting. So this is a really busy slide.
[08:48.580 --> 08:54.300]  What's important to know about it is that we're not good at informed consent. So although we know
[08:54.300 --> 08:58.840]  informed consent is really important in the medical context, we're not really good at it.
[08:58.840 --> 09:04.020]  So if you look at the green box, what the green box is pointing out is the number of studies that
[09:04.020 --> 09:09.640]  have looked at informed consent that have shown that the people in those studies had adequate
[09:09.640 --> 09:18.840]  understanding of key components of informed consent. For example, six out of 21 studies
[09:19.520 --> 09:25.640]  showed adequate understanding of the information being given in the informed consent process,
[09:25.640 --> 09:32.360]  which is about 29 percent of the time. And then you can go over to the yellow box.
[09:32.360 --> 09:39.300]  That's the moderate understanding. And moderate in this study meant that 50 percent of people
[09:39.300 --> 09:47.140]  to 79 percent of people got questions right around understanding the information. So most people
[09:47.140 --> 09:52.400]  fall into that bucket. And then you can see a really large percentage of people fall into the
[09:52.400 --> 09:57.140]  inadequate bucket, meaning that they understood less than half of the information that was given
[09:57.140 --> 10:04.480]  to them. So although we know that consent is important, the practice of informed consent in
[10:04.480 --> 10:16.220]  medicine isn't very strong. That's a problem, obviously. One of the reasons is literacy. So
[10:16.220 --> 10:24.620]  informed consent documentation in medicine tends to be written by lawyers. And lawyers, although
[10:24.620 --> 10:31.060]  well-meaning, don't necessarily write in language that everyday people can understand. One in five
[10:31.060 --> 10:36.760]  Americans read at or below the fifth grade reading level. One in three Americans has basic or below
[10:36.760 --> 10:43.160]  basic health literacy. And as we all know, stress, anxiety, pain, depression, all of these things can
[10:43.160 --> 10:50.240]  lower our reading comprehension and our reading ability. And that's what we find in the medical
[10:50.240 --> 10:56.580]  context. So if you're going in to see a doctor to get an implanted medical device,
[10:56.580 --> 11:04.700]  highly likely that you're either stressed, anxious, in pain, or depressed about this medical need.
[11:04.700 --> 11:09.740]  And so that will really impact people's ability to understand what it is that they're getting
[11:09.740 --> 11:15.380]  themselves into. So it's important for us to know about the limitations of informed consent as we
[11:15.380 --> 11:21.060]  think about telling people about the cybersecurity vulnerabilities of medical devices.
[11:23.000 --> 11:28.540]  Fortunately, innovation in informed consent is happening right now in research, which is
[11:28.540 --> 11:35.800]  tremendous. So my group at Sage Bionetworks, which is a nonprofit open science organization,
[11:35.800 --> 11:42.840]  has been working on creating electronic informed consent processes, which are visually engaging,
[11:42.840 --> 11:48.420]  which distill the information that's being given and allow people to navigate through at their own
[11:48.420 --> 11:56.240]  pace. The All of Us Research Program, which is a massive research initiative, has done some
[11:56.240 --> 12:03.280]  incredible work, innovative work, with informed consent. They wanted to enroll a really diverse
[12:03.280 --> 12:08.700]  patient population into their study, and so they really put a lot of the time and attention into
[12:08.700 --> 12:13.980]  their informed consent process. It's written at the fifth grade reading level, it includes little
[12:13.980 --> 12:21.980]  videos to help people understand, and there are get help buttons along the way. So although the state
[12:21.980 --> 12:27.700]  of informed consent hasn't been so good up until now, there's a lot of work that's being done right
[12:27.700 --> 12:34.680]  now to improve informed consent. And what we're finding... oh and here's some more information
[12:34.680 --> 12:40.040]  about the All of Us Research Program's informed consent... but what we're finding is that this
[12:40.040 --> 12:49.840]  effort is paying off. So in that study that I showed you with the green, yellow, and red boxes,
[12:50.420 --> 12:57.800]  they said only one out of 15 studies showed an adequate understanding that participating in
[12:57.800 --> 13:04.180]  research is not the same as receiving medical care. So one of the questions, a quiz question
[13:04.180 --> 13:08.580]  that's posed to people after they complete the All of Us informed consent process is,
[13:08.580 --> 13:13.860]  what's the purpose of All of Us? And one of the question answers is to give medical advice and
[13:13.860 --> 13:20.940]  treatment. And you can see from this graph more than 90 percent of people, regardless of their
[13:20.940 --> 13:26.720]  educational attainment, were able to correctly answer the question that the purpose of All of Us
[13:26.720 --> 13:34.040]  is to help scientists make discoveries about health. So our innovation is working, which is
[13:34.040 --> 13:39.920]  great. So the state of informed consent hasn't been so good. We're working on ways to improve
[13:39.920 --> 13:45.540]  it. It looks like those efforts are really starting to pay dividends. So how does this
[13:45.540 --> 13:50.620]  all come together when we start to think about cybersecurity informed consent?
[13:55.600 --> 14:00.940]  All right, so cybersecurity informed consent is a combination of ethics and engineering
[14:00.940 --> 14:06.100]  in medicine. So you need to take all the ethics folks' knowledge and all the engineering folks'
[14:06.100 --> 14:14.670]  knowledge and put it together. So the cybersecurity of medical devices and informed consent together
[14:14.670 --> 14:23.130]  is this concept of cybersecurity informed consent. It's an informing interaction for patients who
[14:23.130 --> 14:29.610]  are getting a connected implantable medical device. The purpose of cybersecurity informed
[14:29.610 --> 14:36.110]  consent is to tell the patient about cybersecurity and its implications for their soon-to-be
[14:36.110 --> 14:41.150]  implanted device. So we're trying to inform people about the device that they're getting.
[14:41.150 --> 14:44.970]  So when we think back to the principles of informed consent, one of the things is that it
[14:44.970 --> 14:49.570]  has to be specific and it has to be informed. So people need to know what it is that's happening
[14:49.570 --> 14:55.810]  to them and they need to understand some of the specifics of what's going on. Cybersecurity
[14:55.810 --> 15:00.990]  informed consent is not yet federally mandated. So there's no guidelines for how it should fit into
[15:00.990 --> 15:05.930]  workflows or what topics should be covered or how they should be addressed.
[15:06.890 --> 15:12.690]  And for now, we're just focusing cybersecurity informed consent on implantable devices because
[15:12.690 --> 15:18.750]  that seems to be, let's say, one of the areas of most urgent need. So if you're getting something
[15:18.750 --> 15:26.530]  put inside of your body, understanding its limitations and risks is really, really critical.
[15:28.530 --> 15:37.170]  We created a straw man or straw person diagram of how cybersecurity could work within
[15:38.430 --> 15:46.650]  a current clinical workflow. The idea would be that a person comes in for their pre-surgical
[15:46.650 --> 15:52.370]  visit. So when you have a surgery, usually you come in a few days before to have a medical checkup
[15:52.370 --> 16:00.050]  to make sure everything's good before your surgical date. At that visit, patients could
[16:00.050 --> 16:07.030]  be told about cybersecurity informed consent and then they could take the time to navigate themselves
[16:07.030 --> 16:13.250]  through a cybersecurity informed consent process. So on the left hand side, you can see here
[16:14.130 --> 16:19.270]  a person comes into the clinic some number of days before they're getting their implantable
[16:19.270 --> 16:23.850]  device. They have all of their pre-op activities. And then in the third step,
[16:24.690 --> 16:30.790]  they make sure that they have this cybersecurity informed consent completed.
[16:32.430 --> 16:38.650]  After the pre-op appointment, the idea on the right side here is that the patient would self-navigate
[16:38.650 --> 16:44.010]  through this cybersecurity informed consent. So walk themselves through a digital informed consent
[16:44.010 --> 16:48.690]  like the ones that we have been using in the All of Us research program and in other
[16:48.690 --> 16:56.550]  innovative research efforts, telling people about cybersecurity and how we keep you safe.
[16:56.650 --> 17:01.330]  And then the patient can ask questions and then they sign off on it and then they're ready to go
[17:01.330 --> 17:08.630]  for their implantable device. So Jeff, Andy, and Christian and I put together this straw man
[17:08.630 --> 17:15.010]  document to sort of prompt people to think about would this actually work in clinic.
[17:16.970 --> 17:23.410]  We thought about this workflow specifically because we wanted to capitalize on each group's
[17:23.410 --> 17:29.210]  strengths. So the people who know the most about the cybersecurity of the devices that are getting
[17:29.210 --> 17:35.210]  implanted into people are actually the manufacturers themselves. And so if we could
[17:35.210 --> 17:41.670]  create an informed consent process that the manufacturers themselves contributed to, then we
[17:41.670 --> 17:50.010]  might have one that has the most accurate information. The time is most limited on the
[17:50.010 --> 17:54.670]  day of surgery and people are also the most worried on the day of their surgery when they're getting an
[17:54.670 --> 18:01.110]  implanted medical device. And so making sure that that consent happens in advance so that people can
[18:01.110 --> 18:06.430]  ask questions and take the time and not feel distressed was one of the thoughts that we had
[18:06.430 --> 18:12.070]  in designing that straw man document. We also noted that most people get their information
[18:12.070 --> 18:17.870]  online these days. Although there is a digital divide, people who are older and in more rural
[18:17.870 --> 18:25.050]  areas tend to be less connected. So an online process might not work for everyone.
[18:26.790 --> 18:31.890]  And also then doing things from home gives people time to think and talk to loved ones and come up
[18:31.890 --> 18:38.610]  with questions. So this was our rationale for designing this original straw man document.
[18:39.970 --> 18:46.930]  We have received a lot of critique on it, which is tremendous actually. So we've shared this at
[18:47.570 --> 18:54.790]  the CyberMed Summit in the fall last year and with a number of different groups of people,
[18:54.790 --> 19:02.430]  including folks from the FDA and a working group that we've convened of doctors, manufacturers,
[19:04.250 --> 19:10.290]  hackers, and ethicists like myself. And so here are some of the critiques. So doctors are used to
[19:10.290 --> 19:17.210]  the sole source of informed consent for medical devices. Well, for all medical care. And so
[19:17.970 --> 19:21.890]  many of the doctors that we've talked to have felt a little bit nervous about
[19:23.690 --> 19:32.310]  having patients navigating a device manufacturer's information around cybersecurity.
[19:32.870 --> 19:37.130]  Patients are also used to getting or doing informed consent with their doctor. So this would
[19:37.130 --> 19:44.290]  be a different step for them. There's also been the critique of if there's no federal mandate,
[19:44.290 --> 19:50.690]  why rock the boat? To which I would say there's an ethical mandate for people to be informed. So
[19:50.690 --> 19:59.410]  we're rocking the boat. Another critique is that cybersecurity is moving so fast. How can we make
[19:59.570 --> 20:05.250]  a cybersecurity informed consent process that's still relevant after three months or after a year?
[20:05.250 --> 20:11.630]  Any informed consent process for medical care needs to go through an ethics review process,
[20:11.630 --> 20:19.490]  and a legal review process at the hospital where it's being used. And that process takes time. So
[20:19.490 --> 20:26.030]  we can't be constantly changing a cybersecurity informed consent process, even though the field
[20:26.030 --> 20:32.470]  of cybersecurity is always evolving. There's concern about cybersecurity informed consent
[20:32.470 --> 20:38.810]  disincentivizing people from getting connected devices. So although we know connected devices,
[20:38.810 --> 20:46.130]  connected medical devices can really truly improve care, people may be nervous about
[20:46.130 --> 20:51.730]  the vulnerabilities and may want not to get connected devices, which physicians,
[20:51.730 --> 20:58.770]  doctors think that would be really bad. People have asked, do patients really want all of this
[20:58.770 --> 21:03.810]  information? There's some empirical evidence that suggests that yes, absolutely, they do. And
[21:03.810 --> 21:11.330]  certainly, when we look at the informed consent literature, patients want to know what's happening
[21:11.330 --> 21:18.870]  with their bodies. Sometimes implanted medical devices go in emergently, and so consent after
[21:18.870 --> 21:25.630]  the fact. So that plays with our proposed workflow a little bit. And then there's the question of
[21:25.630 --> 21:31.050]  who's the responsible party. So is the doctor responsible for making sure the cybersecurity
[21:31.050 --> 21:38.310]  informed consent happens? Would it be the manufacturer? Would it be the hospital system?
[21:38.410 --> 21:45.150]  Who's responsible for what? So these are all really, really good critiques. And we are so happy
[21:45.150 --> 21:53.470]  to have received them and to be working with them to improve our model to come up with a
[21:53.470 --> 22:00.570]  second version. One last point that's been raised as a critique is the probability of risk. And the
[22:00.570 --> 22:07.930]  probability of risk, I think, is really an important point for us to address here. So
[22:08.670 --> 22:15.210]  usually we think about risk in two dimensions, its probability and its magnitude. So the probability
[22:15.210 --> 22:20.750]  of harm occurring as a result from participation in a research study or participation in medical
[22:20.750 --> 22:29.610]  care. And federally defined minimal risk is when the magnitude of anticipated harm is not greater
[22:29.610 --> 22:36.230]  than ordinarily encountered in everyday life. So it's all about probability of harm
[22:37.520 --> 22:46.510]  and magnitude of harm. But probability and magnitude aren't such good measures when it
[22:46.510 --> 22:53.910]  comes to cyber security, right? So if you lived in South Africa, this sign might not prevent you
[22:53.910 --> 22:59.010]  from swimming because sharks are sighted there every day. But if you lived like me on the shores
[22:59.010 --> 23:05.310]  of the Great Lakes of the United States, you might see a sign like this and say, oh my gosh,
[23:05.950 --> 23:11.830]  the apocalypse is nigh. We're not supposed to have sharks here. So Suzanne Schwartz put together
[23:11.830 --> 23:18.850]  this slide and she presented it at the CyberMed Summit last fall. And I thought it was just a
[23:21.530 --> 23:28.450]  spectacular slide looking at the exploitability of devices and the severity of patient harm
[23:28.450 --> 23:36.970]  if exploited. And so this was her reframing of risk. And I think that this is something that's
[23:36.970 --> 23:43.590]  really salient to cyber security informed consent. So we're not really looking at the
[23:43.590 --> 23:51.530]  probability of patient harm, just is the device exploitable and how bad is it if it is
[23:52.090 --> 24:01.590]  exploited. And so when it comes to a implantable medical device like a pacemaker,
[24:01.590 --> 24:09.690]  you can imagine that if the device was exploited, it could have catastrophic impact for the person
[24:09.690 --> 24:14.310]  who had it because their heart wouldn't be receiving the signal to keep it on rhythm.
[24:14.630 --> 24:22.030]  So even if the device is not very exploitable, it still has catastrophic, it could have
[24:22.030 --> 24:26.850]  catastrophic implications for patients. And so for this reason, we're really thinking that
[24:26.850 --> 24:31.350]  cyber security informed consent is important because people should know what cyber security
[24:31.350 --> 24:39.530]  is, understand what device manufacturers are doing to control for that risk, and also be reassured
[24:39.530 --> 24:46.930]  that their devices are at the highest standard of security. And that they're constantly being
[24:46.930 --> 24:52.630]  looked at by groups like those at the biohacking village. So really, this sort of brings it all
[24:52.630 --> 24:59.030]  back to the mission of the biohacking village, this little ethics side project that we have going.
[25:00.430 --> 25:05.450]  So our next steps are to make a mock-up of cyber security informed consent. So what
[25:05.450 --> 25:11.490]  would it look like if a patient was navigating this cyber security informed consent? What kinds
[25:11.490 --> 25:16.570]  of information are we going to tell them? How are we going to tell it to them? And then we want to
[25:16.570 --> 25:21.910]  try it out with one or more devices in one or more clinics. And so we've convened a group of people
[25:22.630 --> 25:29.150]  to help us work on this, and I want to thank all of them. We have a huge group of working group
[25:29.150 --> 25:37.390]  members. We also were graced with the free and excellent labor of Duke University capstone
[25:37.390 --> 25:45.590]  students who helped us out. Folks from the FDA have given us comment on our proposals as we've
[25:45.590 --> 25:51.630]  been going along, and we would love for you to join us as well. So if you're interested in joining,
[25:51.630 --> 25:58.070]  please email me. There's my email address, or send me a direct message on Twitter, and I would be
[25:58.070 --> 26:05.370]  happy to include you in our group as we move forward. And with that, I want to thank the Biohacking
[26:05.370 --> 26:12.870]  Village and the device lab at the Biohacking Village, and hopefully next summer we'll all be
[26:12.870 --> 26:18.870]  together in Las Vegas again so that we can see beautiful things like the flowers and the chihuly
[26:18.870 --> 26:23.430]  glass in the Bellagio. Thanks everyone!
